Kaspersky Lab Helped NSA Catch an Alleged Data Thief

The National Security Agency discovered what has been called the largest breach of classified data in its history after a tip from a Russian cyber-security firm that the US government has banned from its networks as a spy threat, according to people familiar with the matter.

Federal prosecutors in August 2016 arrested a former NSA contractor, Harold Martin, accusing him of taking home without permission at least 50 terabytes of data – the rough equivalent of 500 million pages of material – that included highly sensitive hacking tools.

But it was not the NSA’s enhanced vigilance that led to Martin’s arrest at his home in Glen Burnie, Maryland.

Rather, earlier that month, Moscow-based Kaspersky Lab notified the NSA it had received some strange Twitter messages from Martin seeking to speak with Kaspersky’s founder, along with a cryptic comment, “shelf life, three weeks,” according to two people familiar with the matter, who spoke on the condition of anonymity to discuss an ongoing investigation.

The messages were sent shortly before a massive online release of NSA hacking tools, according to a court document made public last month. The coincidence startled Kaspersky researchers who received the messages, and through Internet sleuthing figured out who Martin was.

Both the court document and Kaspersky’s role in alerting the NSA were first reported by Politico.

The release of NSA tools by a group calling itself “The Shadow Brokers” rattled the agency, and suspicion immediately fell upon Martin, who had access to the NSA’s elite hacking unit.

However, while US intelligence officials said they have long believed The Shadow Brokers is linked to Russian intelligence, no evidence has emerged publicly in Martin’s case to suggest he was the group’s source. Martin, who is in plea negotiations over charges of willful retention of national defence information and theft of government property, is not facing accusations that he transmitted classified material to any unauthorised recipient.

Kaspersky Lab declined to comment, as did Martin’s defence attorney, James Wyda, and the US attorney’s office for the District of Maryland, which is prosecuting Martin. His trial is set for June.

For years, US intelligence agencies suspected the company, founded by Eugene Kaspersky, a graduate of a KGB-supported cryptography school, was enabling Russian espionage. In early 2015, the firm issued a report on a massive espionage operation run by an entity they dubbed “The Equation Group” that was widely understood to be the NSA. The report revealed NSA tools and capabilities, causing great concern within the agency and the Obama administration.

Then in September 2017, the US government moved to ban the use of Kaspersky software by federal agencies amid concerns the company’s software could enable Russian spying. Kaspersky has issued public statements denying it helps any government with cyber-espionage.

The Twitter messages Kaspersky shared with federal authorities helped provide the legal basis for a magistrate judge to issue a search warrant for Martin’s Twitter account and then for his house.

“Although [his] Twitter messages could have had any number of innocuous meanings in another setting,” their timing and his access to the tools made for “a fair probability” that a search would turn up evidence of a crime, wrote US Judge Richard Bennett in a December memorandum explaining his decision not to suppress evidence obtained by the FBI.

On Aug. 27, 2016, two weeks after Shadow Brokers made its first release online of NSA’s hacking tools and as Russia was engaged in an operation to interfere in the US presidential election, nine SWAT agents dressed in protective gear, some with guns drawn, confronted Martin at his home, according to Bennett’s memo.

Martin was placed face down on the ground and handcuffed. Then he was interrogated by three FBI agents for four hours. More than a dozen officers searched Martin’s home, shed and car, according to the memo. They were stunned by the material they found – six banker’s boxes worth of paper documents, dozens of computers, thumb drives and other digital storage devices that belonged to the government, prosecutors said.

Martin’s haul included more than 75 percent of the NSA’s hacking tool library, some US officials said. Prosecutors said he took the government data over a 20-year period – the result, his lawyer has said, of a “compulsive” hoarding habit.

Martin held a series of contracting jobs and worked at the NSA from 2012 to 2015, where he was an employee of Booz Allen Hamilton. He worked at the agency’s Tailored Access Operations unit, which created and deployed the tools used to hack into networks around the world for intelligence.